From: Reindl Harald
Date: May 14 2012 2:54pm
Subject: Re: MySQL Community Server 5.1.63 has been released
List-Archive: http://lists.mysql.com/mysql/227430
Message-Id: <4FB11CBA.6080207@thelounge.net>

On 14.05.2012 16:50, Johan De Meersman wrote:
> ----- Original Message -----
>> From: "Govinda"
>>
>> 1.) Is anyone *who knows what he is doing* still using
>> mysql_real_escape_string()? Ever?
>
> I seem to vaguely remember someone showing me some code that would bypass escaping; but I didn't really pay a lot of attention, to be honest :-)
>
> Personally I haven't used escapes in ages, for the simple reason that prepared statements are just that much more convenient - and even if MySQL doesn't do a lot with it for the time being, they also allow for some very nifty in-server optimizations using cached query plans and similar nifties. Using them is a good habit for three reasons:
> 1) it makes you immune to SQL injections, at least as effectively as escaping;
> 2) if MySQL finally gets around to implementing an execution plan cache, you'll start benefiting without having to lift a finger
> 3) you won't need to learn new ways of working if you need to code on different databases :-)

but what about the dramatically reduced query-cache hits i see in some piece of software switching to prepared statements?
dbmail2 as example had around 300 sql-actions per second
dbmail3 using prepared statements currently around 1000 per second

i can not imagine any better performance in a php-script since it is stateless and you have to do the whole prepare in each request
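The injection point in the quoted list above (reason 1), as an added example that is not part of the original thread: escaping only protects a value that lands inside a quoted literal, while a bound parameter stays data in every position. It goes slightly beyond the thread by showing the unquoted numeric case; it uses Python's `sqlite3` so it runs offline, and `escape_quotes`, the `users` table and its rows are constructed for illustration.

```python
import sqlite3


def escape_quotes(value):
    """Hypothetical stand-in for an escaping helper (doubles single quotes, SQLite's rule)."""
    return value.replace("'", "''")


def make_db():
    # Constructed sample data, kept in memory so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "o'neil")])
    return db


def lookup_by_name_escaped(db, name):
    # Escaping is sufficient here: the value sits inside a quoted literal.
    sql = "SELECT id FROM users WHERE name = '" + escape_quotes(name) + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_by_id_escaped(db, user_id):
    # Escaping does nothing here: the value is not inside quotes, so any
    # SQL it contains is parsed as part of the statement.
    sql = "SELECT name FROM users WHERE id = " + escape_quotes(user_id)
    return [row[0] for row in db.execute(sql)]


def lookup_by_id_bound(db, user_id):
    # Prepared statement: the statement is parsed first, the value is bound
    # afterwards and can never change the statement's structure.
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in db.execute(sql, (user_id,))]


if __name__ == "__main__":
    db = make_db()
    hostile = "2 OR 1=1"  # constructed input for the numeric field
    print("escaped, quoted context :", lookup_by_name_escaped(db, "o'neil"))
    print("escaped, numeric context:", lookup_by_id_escaped(db, hostile))
    print("bound parameter         :", lookup_by_id_bound(db, hostile))
```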